The Internet has experienced, and will continue to experience, explosive growth. As originally designed, the Internet was to provide a means for communicating information between public institutions, particularly universities, in a semi-secure manner to facilitate the transfer of research information. However, with the development and provision of user-friendly tools for accessing the Internet, such as the World Wide Web (the Web), the public at large is increasingly turning to the Internet as a source of information and as a means for communicating.
Because of the growth of the Internet and corporate intranets, the services provided over networks have become more diverse and sophisticated. As a result, increasingly complex schemes have been developed to respond to client generated network traffic and to service client requests. In some of these schemes, a single device is placed on the network that is responsible to direct packets to other devices or to filter packets that are bound for a number of other devices for some purpose such as security or load balancing. Such devices, when implemented, are critical to the operation of a network because they often represent a single point of failure that may prevent either the entire network or a substantial portion of the network from functioning.
Provision of a Web home page involves establishing a user accessible file at a Web site. The Web site can be established either on a computing system on the premises of the business or institution that providing the home page, or by contracting to have the home page built and supported on the computing facilities of an Internet Service Provider (ISP).
Use of a company's computing system for support of a publicly accessible system, such as a Web site, can present a threat to the company's internal systems that share the same computing platform or are connected to the publicly accessible computing platform. Furthermore, in cases where sensitive information is transmitted over the Internet to a company, such information is usually stored on the same computing system that is used for running the on-line Internet system. Handling of such information over a public network such as the Internet requires some measure of security to prevent the information from being intercepted. However, a more important consideration is maintaining the security of such information once it is received and stored in a computing system that is connected to the Internet.
Most computer crime is not in the form of data interception, but involves a network intruder, or “cracker” entering a publicly accessible computing system and subverting security systems to access stored information. In the recent past, there have been several publicized cases where crackers have stolen proprietary information from purportedly secure computers over the Internet.
In many cases where a publicly accessible application, such as a Web home page, is set up on a business or institution's premises, it is grafted onto an existing computing system. The existing system also may contain other computing resources, such as databases and/or internal network systems that are not intended for public access. Provision of a publicly accessible on-line system, such as a Web server, on such a system can provide a scenario that can be exploited by network intruders who may attempt to reach systems beyond the Web server using it, or other systems bundled on the computing platform, as access paths. A company or institution may attempt to protect these surrounding systems by password protecting them or by concealing them from the public with a system called a firewall.
The term “firewall” was coined in the computer network art to describe a system for isolating an internal network, and/or computers, from access through a public network to which the internal network or computers are attached. An example of a firewall system is described in U.S. Pat. No. 6,061,797. The purpose of a firewall is to allow network elements to be attached to, and thereby to access, a public network without rendering the network elements susceptible to access from the public network. A successful firewall allows for the network elements to communicate and transact with the public network elements without rendering the network elements susceptible to attack or unauthorized inquiry over the public network.
Firewalls have become an integral part of a network that is connected to the Internet or other wide-area network (WAN). As mentioned before, as network traffic increases—and the increased economic importance of that traffic—so does the need for increased security. To alleviate the demand on any one machine, and to prevent any single device from being a single point of failure, firewalls have been duplicated to form a firewall “bank.” Multiple firewall machines can be operative within the firewall bank in order to distribute the firewall workload among multiple machines in order to increase performance.
Firewall banks have created a need for methods and devices that balance the workload among the elements of the firewall bank. These devices are called firewall load balancers. In a typical configuration, there are firewall load balancers on either side of the firewall bank. The firewall load balancer that sits outside (i.e., on the Internet side) of the firewall is used to balance incoming traffic among the firewalls within the firewall bank. Similarly, the firewall load balancer that sits on the inside portion of the firewall is used to balance the load emanating from the servers that are servicing the requests originating from outside the firewall.
Crackers have been known to inundate a port, such as a telnet, http, or ftp port, with large numbers of slightly varying access requests in order to consume available memory and CPU cycles on the attacked device. This method of attack is known as a “denial of service attack.” Specifically, the attacked device is inundated with requests that consume its resources and either cause it to crash or otherwise to slow down to the point where it cannot service legitimate requests. A more comprehensive discussion of denial of service attacks is presented by the CERT Coordination Center and is available on the Internet at <http://www.cert.org/tech_tips/denial_of_service.html>. The typical response to a denial of service attack is to have the operating system (OS) shut down the targeted port for a period of time, thereby denying the service of that port both to the attacker and, unfortunately, to legitimate customers. This defensive response is necessitated by the inefficiency of conventional port processing. The chain of processes associated with monitoring, managing, and verifying port connections is very inefficient. Consequently, the conventional defense is to have the OS shut down the port for a period of time. This security technique prevents entry into a system through that port and restores the availability of system resources to the remaining ports. This defensive measure is unacceptable because it concedes defeat (i.e., the denial of service) to the attacker.
Aside from the packet flooding tactic, other denial of service attacks entail the disruption or overwhelming of components within a computer system. Firewalls can become a target of the attacker as well because if the firewalls are disabled, the connection to the wide-area network is also disabled. From an attacker's standpoint, this is equally as effective as disabling the servers. As firewalls are vulnerable to the denial of service attack, so too are their load balancers. The firewall load balancers also may be inundated with the denial of service's packets and exhaust their resources. There is, therefore, a need in the art for a firewall load balancer that can operate effectively while conserving resources so that it can withstand a denial of service attack.